In a matter of days, the holidays will be here. As last-minute gifts are wrapped, flights are boarded, and festive gatherings commence, the flurry of preparation surrounding the holidays will fade into the distance, and the world will settle in to enjoy their Hanukkah and Christmas celebrations.
But until then, consumers will continue to push through the mad rush known as the holiday shopping season. Luckily, with the shift to online shopping within the last several years, checking your list twice has become much easier, and can often occur while making purchases from one’s couch.
For consumers, e-commerce options simplify the holiday shopping madness. For retailers, selling goods online has opened lucrative channels for additional spending that go way beyond customers walking through the doors of a store to purchase. Today’s consumers shop online for Black Friday, Cyber Monday, Small Business Saturday, and Super Saturday (the last Saturday before Christmas) and can even order goods from online retailers just hours before Santa arrives.
E-commerce has revolutionized the holiday shopping experience and represents massive growth in just a few short years. Back in 2015, online sales reached $83 billion in the U.S. during November and December and 7.4% of total retail sales worldwide. Fast forward to 2022, when U.S. e-commerce sales are expected to reach $236 billion, $6.51 trillion by 2023, and hitting 24% of total retail sales worldwide in 2026.
With Growth Comes Opportunity
As merchants busily preparing for the largest shopping season of the year– so too do holiday scammers. Early this fall, online thieves were already pinging websites, making small purchases on stolen credit cards and identifying which cards would work for larger purchases on Black Friday and Cyber Monday.
A recent study released by Juniper Research reveals that e-commerce fraud will exceed $48 billion globally in 2023, up from $41 billion in 2022. Chargeback charges continue to show no mercy on merchants, as they are expected to pay over $100 billion in 2023 – an estimated annual growth rate of 1.5%.
With more than half of all fraud occurring between September and December, and chargeback rates increasing by up to 50% during peak shopping periods, there’s no doubt that holiday credit card fraud is a real threat. But why are the holidays a prime time for hackers to strike?
According to the FBI and the Cybersecurity and Infrastructure Security Agency (CISA), there is a pattern of increased “highly impactful” attacks occurring during and around holidays in the United States. The agencies suggest that cybercriminals strategically target American holidays to breach enterprise networks because they know offices are short-staffed and response times to cyber events are likely to be dramatically reduced. Further, because employees often travel during and around holidays, companies may need to call in third-party experts to handle a breach. The result is more valuable time for hackers to propagate a ransomware attack, for example, as the outside experts take stock of a new network.
Hackers Are Cashing in on the Holidays
With the holiday buying season in full swing, fraudsters are looking to take advantage of unsuspecting businesses and consumers during the uptick in purchases. The Cybersecurity & Infrastructure Security Agency (CISA) and the FBI released a joint statement encouraging everyone to examine their current cybersecurity measures against cyber threats to help evaluate and mitigate any potential risks.
Here are some common types of fraud businesses should be aware of during the holiday season and how to avoid the risk of a cyberattack trap.

Chargeback Fraud
This type of fraud involves online buyers attempting to secure a refund without returning the product using the chargeback process, effectively receiving it for “free.” Instead of contacting the merchant directly for a refund, consumers will dispute the transaction with their bank claiming that they didn’t make the purchase, never received the item, or that they sent back an item when they didn’t.
Since card issuers often receive an overwhelming amount of chargeback requests, many will greenlight the request with little to no evidence, passing the damage on to the business.
While not the most well-known form of fraud, holiday chargebacks are the bane of many retailers. A chargeback is meant to protect cardholders by providing them with a way to secure refunds for fraudulent charges. However, fraudsters take advantage of chargebacks by using them to receive refunds for products they don’t return.
By the time chargebacks are fully accounted for 60 to 90 days after the holidays, it is often too late to stop the fraud. The delayed reporting of chargebacks also means that merchants get a distorted picture of their holiday performance, with losses not showing up until weeks or perhaps months later.
Card Testing
Fraudsters use card testing to determine whether stolen credit card information is valid. This information may have been purchased on the Dark Web from a data breach or could have been stolen directly by the fraudster using phishing, ransomware, or other hacking methods.
Once cyber thieves have the stolen information, such as credit card numbers or social security numbers, they will attempt several small purchases on an e-commerce page to see if the credit card is still active. They do this because cards are often stolen weeks or months prior and may have been deactivated by the cardholder or bank.
If the transaction is successful, they can then move on to use that card for bigger purchases on other websites or they can resell that card information to someone else.
Learn more about card testing and what it looks like.
Non-Payment or Non-Delivery Charges
A non-payment scam occurs when goods or services are provided or shipped, but the seller never receives payment. Vice versa, a non-delivery scam takes place when a buyer pays for goods online, but never receives their items.
To avoid falling for these traps, make sure the website you are buying from is legitimate and secure – if it doesn’t have an https in the web address, this means the website is not secure and you should avoid entering your information. If you are the seller, make sure your business processes payments before sending any products.
Distributed Denial of Services (DDoS) Attacks
Another threat for businesses around the holidays is Distributed Denial of Services (DDoS) attacks. A DDoS attack is when the hackers purposefully disrupt the normal traffic of a server, service, or network with a flood of internet traffic so that it cannot operate or communicate properly.
As the global pandemic created more urgency for online operations, this has presented new opportunities for DDoS scams to take place and cyber criminals are taking full advantage. To prevent or help mitigate DDoS attacks you can:
- Increase bandwidth to help handle traffic spikes
- Switch to cloud-based services
- Take advantage of anti-DDoS hardware and software
Phishing Emails
Phishing emails are one of the most common types of cybercrime and continues to be a top complaint received by the FBI’s Internet Crime Complaint Center. Phishing scams have increased year-over-year, with 255 million attacks reported in 2022 – an increase of sixty one percent from 2021.
Many phishing emails seem like they are from legitimate sources and will either request personal information or have links and downloads that will infect your computer with a virus or malicious malware called ransomware. Once your computer is infected, scammers will steal your personal information or hold your computer hostage until you pay them.
To avoid becoming a victim of phishing, keep browsers updated, install firewalls and train employees in basic cybersecurity practices.
Fraud Prevention and Detection – The Basics
It is evident that e-commerce sales – along with e-commerce fraud – will continue to grow. Many retailers will struggle with maintaining bandwidth, monitoring fraud, securing mobile shopping platforms, and managing holiday chargebacks. For ultimate credit card protection, it’s important to immediately review your credit card verification processes and fix any issues in advance of the busy holiday rush.
- Use reCAPTCHA to deter bots from testing credit cards
- Use Address Verification (AVS) to ensure cardholder billing addresses match orders
- Require CVV codes on all credit and debit card purchases
- Flag multiple order attempts from the same IP address
- Ensure order addresses and IP addresses are from the same country
- Review your email database for hacked addresses
There are also additional measures that you and your employees can take to help spot online fraud. Be on the lookout for purchases where:
- The shipping address does not match billing address
- The purchaser attempts to circumvent your usual payment process (e.g. sending credit card information via email rather than entering it on your website)
- The order is for an unusually large amount of items
- The purchaser wants items rushed or shipped next day shipping (this is not necessarily suspicious on its own but should be noted if there are other red flags)
- The order is from another country – particularly if you sell items that could be easily obtained in any country
- The customer tries different expiration dates after initial decline
- The customer purchases large amount of the same item
Check out our most common FAQs on fraud, card testing, and preventative tools.
Strategies and Tools to Safeguard Your Checkout from Fraud
Fraudsters will always look for vulnerabilities to steal consumer payment data, and although fraud prevention is not foolproof, there are several strategies you can use to effectively reduce the risk of fraudulent activity. The following steps can help make your checkout process more secure.
- Enable security tools like reCAPTCHA. This service prevents automated bots or scripts from submitting payment forms and requires users to click a checkbox – like asking the users to match words with images in a simple puzzle – if malicious targeting is detected.
- Enabling CVV Verification. Enabling zip code validation, address verification, and CVV on the payment page adds another layer of security. CVVs are harder to compromise than card numbers and expiration dates, so requiring them on your payment form is optimal.
- Implement Transaction Velocity Checks. Merchants can turn on IP blocking rules and configure velocity checks that will automatically block transactions coming from unwanted sources while allowing transactions coming from specific IP addresses. It is recommended that merchants define their own rules to prevent fraudulent transaction attempts.
- Temporarily disable vulnerable forms. If all security protocols put in place still result in a compromise, temporarily disabling a payment form allows the merchant the ability to retain the page for future use without deleting the entire form.
- Verify users prior to displaying payment forms. Validating user sessions or requiring users to log in prior to accessing the payment form helps eliminate access by bad actors attempting card testing or validation of stolen credit cards.
- Use fraud-scoring tools. Bluefin encourages its merchants to learn more about Bluefin’s fraud-scoring tool, where they can leverage state-of-the-art machine learning models and established rules to identify good customers, analyze patterns and data, and highlight risky transactions. Fraud prevention requires analyzing devices, and associated identities transacting across digital channels and monitoring transaction data. Bluefin recommends its merchants adopt a strategy that helps minimize risk and reduce losses caused by card-not-present fraud.
- Bluefin also has various internal monitoring mechanisms through our PayConex™ payment gateway that help detect critical vulnerability indicators like high traffic in a short amount of time with the same attributes, low transaction values, increase in failed authorizations, and specific decline codes.
Finally, it’s imperative that merchants make Personally Identifiable Information (PII), Protected Health Information (PHI), and cardholder data worthless on the web. Take advantage of our ShieldConex™ data security platform, which utilizes both hardware-based encryption and valetless tokenization to secure sensitive data entered online.
Get a Jump Today on Potential Holiday Fraud
As the holiday season picks up, it can become difficult for businesses to track and monitor every instance of fraud. As a result, holiday orders can face less stringent vetting and at peak volume, holiday orders can become harder to vet because sales tend to be abnormal. And while some unusual activity can be reviewed manually, such appraisals can slow down transaction volume. This waiting period can be dangerous when you consider that two thirds of online shoppers may not return after an incorrect fraud assessment.
To reduce chargebacks or the possibility of having your website — and revenue source — shut down by hackers, identify your customers, flag suspicious activity, and use two-factor identification to confirm that customers are who they say they are.
Regardless of what the holidays bring, Bluefin will be with you every step of the way — offering seamless PCI-validated Point-to-Point Encryption (P2PE) technology for POS transactions and ShieldConex® for e-commerce payments. To keep your company safe and secure, contact Bluefin today and learn more about our security solutions.